Confide, The Messaging App Used By White House Staff, Sued For Being Unsecure

Usually, something that is used by the White House is considered to be safe, but that may not be the case with the messaging app Confide. A Michigan man sued the app, accusing it of not being as secure on the desktop as it is on mobile devices. This app is reportedly used by Republicans in the Trump White House.

Confide not giving same protection for desktop and mobile versions

The lawsuit, filed in federal court in New York on Thursday, claims that unlike the mobile version, which prevents screenshots, the Windows desktop version fails to block screenshots. In the Mac OS and Windows versions, the entire message is visible in one view, unlike in the mobile version, where one has to read line by line. These two desktop platforms also don’t offer screenshot notifications.

“By failing to offer the protections it advertised, Confide not only fails to maintain the confidentiality of messages sent or received by desktop App users, but its entire user base,” reads the civil complaint filed by the lawyers for plaintiff Jeremy Auman. Law firm Edelson PC, which specializes in consumer privacy cases against tech firms, is representing Auman.

The lawsuit claims that Confide fails on two of the three requirements it considers vital for secure communications: screenshot protection and ephemerality. Further, it says the company knows that it has failed to deliver on the promise of making a secure communication channel available. Because of these failures, the lawsuit alleges, a message sent via the platform “is (and has been) at risk of storage,” and users who believed that they were using a secure platform for exchanging “confidential and potentially compromising information” now face the risk of that data being used against them.

“Not surprisingly, the accusations set forth in the complaint are unfounded and without merit. We look forward to responding to this frivolous complaint and seeing this case swiftly thrown out of court,” Jon Brod, one of Confide’s co-founders, told Ars Technica in a statement.

Researchers did find it vulnerable

According to Auman, such issues with the app qualify as false advertising. The plaintiff also states that had he known of such issues in the desktop version of the app, he wouldn’t have spent $7 a month for the premium version. Auman’s lawsuit comes a month after research published by Quarkslab indicated that Confide’s end-to-end encryption is not as secure as it is advertised to be, notes TechCrunch.

Jonathan Zdziarski, a mobile forensics consultant who now works for Apple, has also previously raised questions about Confide’s encryption, notes Ars Technica. In a blog post, Zdziarski said that what makes its encryption different is that “it appears to regenerate the public key” under a few scenarios.

For reasons unknown, Confide does not alert a user when “your public key changes,” unlike Signal and WhatsApp, said Zdziarski, adding, “Key exchange is always the most difficult part of good encryption routines.”

Further, the expert said that the app isn’t perfect and is vulnerable on a few counts; for instance, it retains undelivered messages. Overall, the messaging app may work for personal chats, but “more proven technology” is recommended, said Zdziarski.